Jean-Michel Picod

On this website you will be able to find all the papers and talks I have published and also read about projects related to reverse engineering, forensics, software defined radio, computer security and electronics. Some of them are work related but most of them are done in my spare time.

As I also like photography, there is also a gallery on this website with some of my shots.

This post will guide you through all the steps it took me to support the challenges that were released in 2016 by Riscure. From schematics review to an automation script, you will learn how to extend the ChipWhisperer-Lite, a versatile platform for side-channel attacks and glitching, and how to use it to crack an AES 128-bit encryption key in less than a minute.

This post provides additional technical details about the physical part of the encrypted USB attacks that we demonstrated a few months back in our talk at BlackHat USA 2017. In particular I will cover how to remove the epoxy and how to reball a BGA chip. If you are considering auditing your own USB key or are curious about the challenges we faced, this article is for you.

Welcome to my electronics lab! Over the last few years, many people have asked me about my personal lab, so today I am giving you a virtual tour of it.

We will go over what gear I use and how I set everything up so I can do my experiments efficiently. Along the way I will answer the questions that have been asked about my setup in my various posts. In particular, I will provide a rationale for why I chose one type of hardware versus another. The quantity of hardware described in this post might seem overwhelming, but keep in mind that it took me years to build this lab. I merely add a new piece here and there based on my needs and opportunities.

Disclaimer: I don’t claim my setup is the best but it works for my use-cases: tinkering with electronics, doing security research and repairing various pieces of equipment. If you have suggestions on how to improve it, let me know.

A lot of people have complained during the past years that DPAPIck only supported Windows XP and Vista, and basically wanted to know if one day we were going to support newer versions of Microsoft Windows.

Thanks to Francesco Picasso (@dfirfpi), this project now supports Windows versions from XP to the latest Windows 8.1 (sorry, we haven’t tested it on Windows 10 yet). He did the work and sent me a patch that allowed DPAPIck to run against Windows 7 blobs, but it also broke XP support at the same time. So I took some extra time to give it a bit of polish and to improve a few things in how the tool was processing data.

First of all, I am pretty happy to write this article because I usually don’t have a lot of opportunities to write about forensics topics on this blog. The main reason for that is that I am almost always working in that field for my employer, so it has no place on this blog. But this time it was related to a spare time project I did during my holidays!

You’re not going to get a lot of details about the whole project because it is still ongoing and, moreover, I am working on it with a friend and we hope to do a bigger publication once we are done. Anyway, I went through a lot of caveats, so I thought it was worth writing about that step in our study.

A while ago I published an article about two RFID locks that I encountered while traveling and a rough blackbox analysis of these two technologies. Unfortunately, back then, I only had a few samples of key cards for Vingcard’s locks and that led me to make false assumptions.

But I was lucky enough to encounter this lock once more very recently. And because it was a three-week stay, it was pretty easy to purposely tell the reception that my card was not working anymore, a couple of times, in order to have them reprogram it (yay, I’m a bad guy!). The purpose here was, first, to check what values can change over time (they usually encode the duration of the stay instead of the checkout timestamp) and, secondly, to ensure that there is not some kind of timestamp-dependent key.

For those who want to read the whole story from the beginning, here are Part 1 and Part 2.

I haven’t talked about this project for a while but I was still working on it. So, what took me so long that I didn’t write about it?

Well, as I told you in Part 1, my final goal is to be able to control the robot vacuum with a GoodFET and a transceiver. The robot relies on an A7105 transceiver which is not directly supported by the GoodFET project and I don’t want to add support for it as I have already written code to support a Chipcon CC2500 transceiver that might be radio-compatible with the Avantcom one.

Knowing all the parameters we need by spying on the configuration phase on the SPI bus from the remote control should have been enough to build another remote. But sometimes things don’t go well!

While reading the slides of NCC Group at BlackHat Asia 2014, the picture of the Facedancer21 looked pretty familiar to me. And it was not a coincidence, because this was actually the picture I took last year of my own Facedancer to illustrate one of my blog posts :-)

Hello Jean-Michel, I have a question about the article 'From NAND chip to files'. I copied the content of a NAND chip to a bin file with TNM5000; the bin file is approx. 4.5 GB. Do you have any idea about how to read the files from the bin file? I tried to mount it in Linux but it seems the maximum size is 256MB. Thank you for your help! Best regards, Laszlo

Hi Jean-Michel, I'd like to dump the firmware of my Samsung SM951 M.2 NVMe drive. Do you know how to do that? If so, could you create a tool to dump the firmware of SSDs (SATA/M.2)? I'm telling you this because there are many people like me that are looking for a tool or utility to do that, but it hasn't appeared yet. Thank you!!

Thank you for your reply on 7 January. I have an additional question about the demonstration in Airbus CyberSecurity’s blog. Would you please suggest the specifications (like the product name) of your experiment equipment: DOOR SENSOR, ZWAVE controller USB, ALARM DEVICE? Because I really want to follow your project! Thank you.

Hello. I've wanted to contact you by e-mail but there isn't any information about you. I have some questions about your project presented at Blackhat 2014. They are about the ZWAVE protocol. Firstly, I downloaded the grc (Zwave in grc) files from 'bitbucket'. Is it just for sniffing the Zwave pkts? Can it do TX, like directly turning off the Zwave light? And could I get the demo videos and the descriptions about it? Thank you!

Hi Jean-Michel, I am also working on a TCP stream reassembly utility and I see that you have done some work in defining the C wrapper for the libnids reassembly patch for Python. I was wondering if you have actually used the resume function in Python? I have tried but am not getting a usable structure from the callback in Python. Do you perhaps have a sample Python function call or some tips in order to use this function in Python? Regards, ChrisA

This talk provides a step-by-step introduction on how to use deep learning to perform AES side-channel attacks. After providing a brief overview of what side channels and deep learning are, we walk you through how to use TensorFlow to build an end-to-end attack that will recover TinyAES keys from STM32F415 chips using deep learning. Along the way we will discuss what works and what doesn't, based on our experience attacking many hardware AES implementations over the last few years.

Ever wondered if your shiny new AES hardware-encrypted USB device really encrypts your data, or is just a fluke? If you have, come to our talk to find out if those products live up to the hype and hear about the results of the audit we conducted on multiple USB keys and hard drives that claim to securely encrypt data.

In this talk, we will present our methodology to assess "secure" USB devices from both the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case studies. We will demonstrate some of the practical attacks we found during our audit, so you will learn what types of vulnerability to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.

The large adoption of wireless devices goes further than WiFi (smartmeters, wearable devices, Internet of Things, etc.).

The developers of these new types of devices may not have a deep security background, which can lead to security and privacy issues when the solution is stressed.

However, to assess those types of devices, the only solution so far has been a dedicated hardware component with an appropriate radio interface for each one of them.

That is why we developed an easy-to-use wireless monitor/injector tool based on Software Defined Radio using GNU Radio and the well-known scapy framework.

In this talk, we will introduce this tool we developed for a wide range of wireless security assessments: the main goal of our tool is to provide effective penetration testing capabilities for security auditors with little to no knowledge of radio communications.

If you ever wanted to push Windows offline forensics to the next level, come to our talk where we will show you how to use our open source tool OWADE (Offline Windows Analyzer and Data Extractor) to recover a lot of interesting information from a used hard drive, including web credentials, instant messaging credentials and user habits information.

We will walk you through the entire recovery chain process and demonstrate how to use OWADE to handle Windows' various levels of encryption (Syskey, DPAPI…) and extract the maximum information from used drives. OWADE is based on our work on DPAPIck, our tool to decrypt DPAPI secrets.

We will present various statistics we computed on the data we gathered from the used hard drives we bought on eBay to test and develop OWADE.

The Data Protection API (DPAPI) plays a key role in Windows security: this API is meant to be the standard way on Windows OS to store encrypted data on disk. DPAPI is used by many popular applications including Internet Explorer, Google Talk, Google Chrome, Skype and MSN (6.5-7) to encrypt their passwords. It is also used by Windows itself to store sensitive information such as EFS certificates and Wifi (WEP and WPA) keys. DPAPI uses very opaque structures to store this encrypted data on disk and the available documentation is very sparse. Therefore, prior to our work it was impossible to extract and analyze these secrets offline for forensic purposes. This is a particularly huge issue for files encrypted using EFS because, unless the EFS certificate protected by DPAPI is recovered, these files can't be decrypted and analyzed. To address these issues, we reverse engineered DPAPI, and in this presentation we will provide a complete walkthrough of DPAPI and its structures. Afterward, armed with this knowledge, anyone interested in Windows forensics will be able to deal with data stored with DPAPI. We will cover the changes made by Microsoft from Windows XP up to Windows Seven. Finally, we will demonstrate and release DPAPIck (www.dpapick.com) which, we believe, is the first tool that allows decrypting data encrypted with DPAPI offline.

This #monkey on top of #sigiriya lion rock looks lost in thought... Or maybe he's just concentrating on not missing an open bag which may contain food. It's impressive how fast they were at spotting a slightly open zipper, opening the bag and putting their head in the bag to check for food! #travel #wildlife #srilanka #nature #animalelite #wildlifeonearth #natureisbeautiful #animalsofinstagram #animalphotography

This huge sculpture between New York hotel and the Park MGM in Las Vegas always reminds me of a very beautiful picture that @treyratcliff took at Burning Man a few years ago.

Birds and squirrels in Sri Lanka, although wild, have no fear of humans. They know that they won't get harmed and therefore they don't hesitate to beg for food directly at your table!
#travel #bird #srilanka #animals

Amazing sunset tonight in Zürich.
I only had my cellphone with me to take the shot. This confirms that the best camera is indeed the one you have with you when you need it 😊
#myswitzerland
#sunset #zurich #teampixel

The sky was very stormy that night and a few minutes later some lightning was visible in the clouds. But the blue hour on the Trocadéro and La Défense in Paris, viewed from the top floor of the Eiffel Tower, was nice with the city lights that were slowly turning on.
#bluehour #paris #eiffeltower #trocadero #ladefense #cityscape #france #sunset

A picture I took when I was visiting Solothurn in Switzerland. The weather was not too bad for autumn.

A picture I took in London, next to a beautiful canal in a peaceful place. We got some rain but shortly after the clouds started to fade away and the sunset reflecting in the glass building was really nice.
#goldenhour #london #reflection #clouds #urban #travel #urbanaisle #travelandlife #wonderful_places #thelighterman #granary #urbanandstreet